The Federal Trade Commission flagged a new breed of fraud that starts with a package nobody ordered. Inside sits a small item and a card with a QR code, along with a note urging the recipient to scan it to find out who sent the gift. Scanning that code can route people to fake websites designed to collect bank usernames, passwords, and other financial credentials, or it can trigger malware that hands attackers direct access to a phone or computer. The FBI has issued a parallel warning, and the U.S. Postal Inspection Service has given the tactic its own name: quishing, short for QR-code phishing.
Why QR codes inside surprise packages catch people off guard
Brushing scams have circulated for years. A seller ships cheap, unordered merchandise to real addresses so it can post fake verified-purchase reviews online. The new wrinkle is that scammers now tuck a QR code card inside those packages, turning a low-stakes annoyance into a direct pipeline for credential theft. The FTC’s recent consumer alert explains that scanning the code can lead to phishing sites that steal usernames, passwords, and other sensitive information, or prompt malware downloads that give attackers ongoing device access.
Physical delivery is what makes this scheme different from the QR-code scams that arrive by text or email. A tangible box on the doorstep carries an implied legitimacy that a random text message does not. Recipients naturally want to know who sent them something, and the card exploits that curiosity with simple instructions: scan here to learn more. The FBI warning notes that packages are often shipped without sender information specifically to entice scanning.
That dynamic raises a practical concern. If brushing volume stays steady or grows, each package now doubles as a phishing lure. Text-based quishing already tricks people, but a physical parcel lowers the initial suspicion barrier further, which could drive a noticeable increase in credential-harvesting complaints reported to federal agencies in the months ahead. The more normal it feels to receive surprise deliveries, the easier it becomes for attackers to slip their QR codes into the mix.
Three federal agencies, one consistent warning
The FTC, FBI, and U.S. Postal Inspection Service have each published separate advisories describing the same attack chain, and their accounts align closely. According to the U.S. Postal Inspection Service’s dedicated quishing guidance, the QR code directs victims to spoof websites that request personally identifiable information including account usernames, passwords, credit and debit card numbers, and PINs. Fake sites may impersonate banks, government agencies, or other trusted institutions, amplifying the risk that people will type in real credentials.
Investigators emphasize that the scam does not rely on a single brand or platform. Any organization with an online login page can be copied well enough to fool a hurried user. The QR code simply serves as a shortcut, bypassing the hesitation many people now feel when they see suspicious links in email or text messages. When the code arrives in a box that looks like a legitimate shipment, many of the red flags people have learned to watch for never get triggered.
The agencies also stress that the physical item in the box is usually of little to no value. It exists to legitimize the mailing and to confirm that the address is active. Once a recipient scans the code and visits the fake site, attackers can attempt to capture login details, prompt a bogus “security update” download, or steer the victim into additional scams such as phony tech-support calls or investment pitches. In some cases, the QR code may also link to a page that asks for a small “verification” payment, harvesting card numbers instead of, or in addition to, account passwords.
How to handle an unexpected package with a QR code
Federal officials urge people not to scan QR codes that arrive in unsolicited packages, even if the item itself looks harmless. If a box shows up that you did not order and includes a code promising details about the sender, the safest response is to ignore the card entirely. You can discard the mailing or, if you are concerned about identity misuse, contact the retailer named on the label using a verified phone number or website you look up yourself.
Security experts also recommend checking your online shopping accounts for unfamiliar orders and changing passwords if you suspect an address is being used in brushing schemes. Enabling multi-factor authentication on bank and retailer accounts can limit the damage if credentials are exposed. And for anyone who relies on QR codes in everyday life, such as for restaurant menus or payment apps, it is worth pausing before every scan to ask where the code came from and whether you can reach the same destination by typing a known web address instead.
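The advice above boils down to looking at where a code points before you let the phone open it. Most camera apps show the decoded text as a preview, and the checks a person should run on that preview can be written down. The following script is an added example, not code from the article or from any of the agencies it cites. It assumes the QR payload has already been decoded into a string (no image handling), uses a constructed list of domains the user already knows, and approximates the registrable domain by its last two labels rather than consulting the Public Suffix List.

```python
"""Triage a decoded QR-code payload before opening it.

Added example: given the text a camera app decoded from a QR code, report
whether the destination is a domain the user already knows, an obvious
impersonation of one, or simply unknown. Domain lists below are constructed
for the demo; a real tool would draw on the user's own bookmarks.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: domains the user would normally type by hand.
TRUSTED_DOMAINS = {"example-bank.com", "usps.com", "amazon.com"}

# Public link shorteners hide the real destination until after the click.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def registrable_domain(host: str) -> str:
    """Last-two-labels approximation of the registrable domain.

    Good enough for this demo; production code should use the Public
    Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_qr_target(decoded: str, trusted=TRUSTED_DOMAINS):
    """Return (status, findings) for a decoded QR payload.

    status is 'trusted', 'suspicious' or 'unknown'; findings is a list of
    human-readable reasons so the user can see *why* before deciding.
    """
    findings = []
    scheme = decoded.split(":", 1)[0].lower()
    if scheme not in ("http", "https"):
        # Wi-Fi credentials, vCards, app deep links, raw text: not a web
        # page at all, so the "type the address yourself" test cannot apply.
        return "unknown", [f"not a web URL (scheme {scheme!r}); treat as opaque"]

    parts = urlsplit(decoded)
    host = (parts.hostname or "").lower()
    netloc = parts.netloc.lower()  # includes any user@ prefix and port
    reg = registrable_domain(host)

    if parts.scheme != "https":
        findings.append("plain http: no TLS, traffic and credentials exposed")
    if parts.username is not None:
        findings.append("credentials before '@' in URL: real host is hidden after it")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address rather than a named site")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: possible homoglyph lookalike domain")
    if reg in SHORTENERS:
        findings.append("link shortener: true destination is not visible")

    # A known brand used as a subdomain, inside a label, or in the user@
    # part, while the registrable domain is something else entirely.
    for known in trusted:
        brand = known.split(".")[0]
        if reg != known and brand in netloc:
            findings.append(f"mentions {known} but registrable domain is {reg}")

    if findings:
        return "suspicious", findings
    if reg in trusted:
        return "trusted", ["registrable domain matches one you already know"]
    return "unknown", ["no obvious lookalike signs, but the domain is not one you know; "
                       "type a known address instead of following the code"]


if __name__ == "__main__":
    # Constructed sample payloads, the kind a camera preview would show.
    samples = [
        "https://www.example-bank.com/login",
        "http://example-bank.com.verify-gift.example/claim",
        "https://example-bank.com@evil.example/",
        "https://bit.ly/3abc",
        "https://xn--pple-43d.com/",
        "WIFI:T:WPA;S:net;P:pw;;",
        "https://unknown-shop.example/order",
    ]
    for s in samples:
        status, why = assess_qr_target(s)
        print(f"{status:10} {s}")
        for line in why:
            print(f"           - {line}")
```

The point of returning the reasons alongside the verdict is that "suspicious" on its own teaches nothing; seeing that a URL names your bank but is registered under a different domain is exactly the habit the agencies are trying to instill.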
The emerging quishing pattern shows how quickly criminals adapt older frauds to new technology. What began as a way to stuff review sections with fake praise has evolved into a tool for direct account takeover. With three major federal agencies now sounding the alarm, the message is straightforward: a surprise package on the porch is not a good reason to trust a QR code.